More little misc patches. Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx> Index: refpolicy-2.20210203/policy/modules/admin/acct.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/admin/acct.te +++ refpolicy-2.20210203/policy/modules/admin/acct.te @@ -57,6 +57,7 @@ init_use_fds(acct_t) init_use_script_ptys(acct_t) init_exec_script_files(acct_t) +logging_search_logs(acct_t) logging_send_syslog_msg(acct_t) miscfiles_read_localization(acct_t) Index: refpolicy-2.20210203/policy/modules/admin/bootloader.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/admin/bootloader.te +++ refpolicy-2.20210203/policy/modules/admin/bootloader.te @@ -44,6 +44,7 @@ dev_node(bootloader_tmp_t) allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio }; allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; +allow bootloader_t self:netlink_selinux_socket connected_socket_perms; allow bootloader_t bootloader_etc_t:file read_file_perms; # uncomment the following lines if you use "lilo -p" @@ -61,6 +62,7 @@ allow bootloader_t bootloader_tmp_t:dir files_root_filetrans(bootloader_t, bootloader_tmp_t, file) kernel_getattr_core_if(bootloader_t) +kernel_read_crypto_sysctls(bootloader_t) kernel_read_network_state(bootloader_t) kernel_read_system_state(bootloader_t) kernel_read_software_raid_state(bootloader_t) 
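Review bot: The bootloader_t additions (the netlink_selinux_socket rule here, kernel_read_crypto_sysctls in the -61 hunk, and the selinux_*/seutil_read_config calls in the -152 hunk on the next line) carry no comment saying which program in the domain produced the denials, and together they read like libselinux and a crypto library initialising rather than anything the bootloader itself does. Please record the binary and the audit line above the socket rule, e.g. `# libselinux avc/status-page setup in <update-grub helper from the denial>`, so a later reader can judge whether the domain is absorbing a helper that should be confined separately. Also, once `seutil_read_config(bootloader_t)` is granted, the `seutil_dontaudit_search_config(bootloader_t)` line that follows it in the -152 hunk becomes redundant and expresses the opposite intent for the same files; one of the two should go.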
@@ -152,8 +154,12 @@ miscfiles_read_localization(bootloader_t mount_rw_runtime_files(bootloader_t) +selinux_get_enforce_mode(bootloader_t) selinux_getattr_fs(bootloader_t) +selinux_search_fs(bootloader_t) +selinux_use_status_page(bootloader_t) seutil_read_bin_policy(bootloader_t) +seutil_read_config(bootloader_t) seutil_read_file_contexts(bootloader_t) seutil_read_loadpolicy(bootloader_t) seutil_dontaudit_search_config(bootloader_t) Index: refpolicy-2.20210203/policy/modules/admin/brctl.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/admin/brctl.te +++ refpolicy-2.20210203/policy/modules/admin/brctl.te @@ -17,7 +17,7 @@ role brctl_roles types brctl_t; # Local policy # -allow brctl_t self:capability net_admin; +allow brctl_t self:capability { net_admin sys_module }; allow brctl_t self:fifo_file rw_fifo_file_perms; allow brctl_t self:unix_stream_socket create_stream_socket_perms; allow brctl_t self:unix_dgram_socket create_socket_perms; Index: refpolicy-2.20210203/policy/modules/admin/logrotate.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/admin/logrotate.te +++ refpolicy-2.20210203/policy/modules/admin/logrotate.te @@ -116,6 +116,8 @@ init_dbus_chat(logrotate_t) init_stream_connect(logrotate_t) init_manage_all_units(logrotate_t) +libs_exec_lib_files(logrotate_t) + logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) logging_send_audit_msgs(logrotate_t) Index: refpolicy-2.20210203/policy/modules/apps/cdrecord.fc =================================================================== --- refpolicy-2.20210203.orig/policy/modules/apps/cdrecord.fc +++ refpolicy-2.20210203/policy/modules/apps/cdrecord.fc 
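Review bot: Granting `sys_module` to brctl_t lets a small network utility domain load and unload arbitrary kernel modules, a far larger privilege than the bridge module autoload it presumably needs. This capability check is usually a spurious probe the kernel makes when an interface name cannot be found, and the pattern this tree already uses for that case is a dontaudit — compare `dontaudit dhcpc_t self:capability { dac_read_search sys_module };` in the sysnetwork.te hunk of this same patch. Suggest keeping `allow brctl_t self:capability net_admin;` and adding `dontaudit brctl_t self:capability sys_module;`; if brctl really has to trigger loading of the bridge module, that is `kernel_request_load_module(brctl_t)` (the module_request permission this patch adds for sysadm_t), not the sys_module capability.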
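Review bot: `libs_exec_lib_files(logrotate_t)` lets logrotate execute any lib_t file, which is much wider than the single helper a postrotate hook under /usr/lib most likely calls (inferred; the commit does not say). The refpolicy way to handle an executable helper living under /usr/lib is to label that path bin_t in the owning module's .fc so the domain's existing exec-bin access covers it, rather than widening exec to the whole library tree. At minimum the rule needs a comment naming the script, `# for /usr/lib/<pkg>/<helper> run from a postrotate script` with the real path filled in.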
@@ -1,3 +1,4 @@ /usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) +/usr/bin/cdrskin -- gen_context(system_u:object_r:cdrecord_exec_t,s0) /usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) /usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0) Index: refpolicy-2.20210203/policy/modules/apps/games.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/apps/games.te +++ refpolicy-2.20210203/policy/modules/apps/games.te @@ -92,7 +92,9 @@ optional_policy(` allow games_t self:fifo_file rw_fifo_file_perms; allow games_t self:sem create_sem_perms; allow games_t self:tcp_socket { accept listen }; +allow games_t self:process getsched; +manage_dirs_pattern(games_t, games_data_t, games_data_t) manage_files_pattern(games_t, games_data_t, games_data_t) manage_lnk_files_pattern(games_t, games_data_t, games_data_t) @@ -101,6 +103,8 @@ term_create_pty(games_t, games_devpts_t) manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t) manage_files_pattern(games_t, games_tmp_t, games_tmp_t) +allow games_t games_tmp_t:file map; + files_tmp_filetrans(games_t, games_tmp_t, { file dir }) manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) @@ -128,6 +132,8 @@ corenet_tcp_bind_generic_port(games_t) corenet_sendrecv_generic_client_packets(games_t) corenet_tcp_connect_generic_port(games_t) +corenet_udp_bind_generic_node(games_t) + dev_read_sound(games_t) dev_read_input(games_t) dev_read_mouse(games_t) @@ -136,13 +142,16 @@ dev_rw_dri(games_t) dev_write_sound(games_t) files_list_var(games_t) +files_search_mnt(games_t) files_search_var_lib(games_t) files_dontaudit_search_var(games_t) +files_map_usr_files(games_t) files_read_etc_files(games_t) files_read_usr_files(games_t) files_read_var_files(games_t) fs_dontaudit_getattr_xattr_fs(games_t) +fs_search_nfs(games_t) init_dontaudit_rw_utmp(games_t) 
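Review bot: `fs_search_nfs(games_t)` in the -136 hunk is unconditional, whereas refpolicy normally gates NFS access for user applications behind the use_nfs_home_dirs tunable, and search on its own only moves the next denial to the read of the game content on the NFS mount. Consider wrapping it in a tunable_policy block on use_nfs_home_dirs together with the read access the data actually needs, and add a comment naming which game keeps its data on NFS or under /mnt — that would also justify the `files_search_mnt(games_t)` line in the same hunk, which currently has no stated reason either.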
@@ -158,6 +167,7 @@ userdom_manage_user_tmp_dirs(games_t) userdom_manage_user_tmp_files(games_t) userdom_manage_user_tmp_symlinks(games_t) userdom_manage_user_tmp_sockets(games_t) +userdom_use_user_ptys(games_t) userdom_dontaudit_read_user_home_content_files(games_t) tunable_policy(`allow_execmem',` @@ -166,6 +176,7 @@ tunable_policy(`allow_execmem',` optional_policy(` alsa_read_config(games_t) + alsa_read_home_files(games_t) ') optional_policy(` Index: refpolicy-2.20210203/policy/modules/apps/gpg.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/apps/gpg.te +++ refpolicy-2.20210203/policy/modules/apps/gpg.te @@ -137,6 +137,7 @@ logging_send_syslog_msg(gpg_t) miscfiles_read_localization(gpg_t) userdom_use_user_terminals(gpg_t) +userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) userdom_manage_user_tmp_dirs(gpg_t) userdom_manage_user_tmp_files(gpg_t) Index: refpolicy-2.20210203/policy/modules/kernel/devices.fc =================================================================== --- refpolicy-2.20210203.orig/policy/modules/kernel/devices.fc +++ refpolicy-2.20210203/policy/modules/kernel/devices.fc @@ -137,6 +137,7 @@ ifdef(`distro_suse', ` /dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vhost-scsi -c gen_context(system_u:object_r:vhost_device_t,s0) +/dev/vhost-vsock -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te +++ refpolicy-2.20210203/policy/modules/roles/sysadm.te 
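Review bot: The new `userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)` makes every file gpg_t creates directly in the home directory come out as ordinary user home content, and nothing in the hunk says this is meant for gpg output (signed, encrypted or decrypted copies) rather than key material, which presumably keeps going to the ~/.gnupg type through the transition defined elsewhere in this file, outside the hunk. A one-line comment above the rule, `# output files written straight into $HOME get the generic home content type; keyring files are covered by the .gnupg transition`, would stop someone later tightening it in the belief that it leaks secret material.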
@@ -41,6 +41,8 @@ allow sysadm_t self:netlink_tcpdiag_sock allow sysadm_t self:capability audit_write; allow sysadm_t self:system status; +kernel_request_load_module(sysadm_t) + corecmd_exec_shell(sysadm_t) corenet_ib_access_unlabeled_pkeys(sysadm_t) @@ -61,6 +63,7 @@ ubac_fd_exempt(sysadm_t) init_exec(sysadm_t) init_admin(sysadm_t) +init_rw_stream_sockets(sysadm_t) # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te +++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te @@ -29,6 +29,10 @@ optional_policy(` ') optional_policy(` + ssh_role_template(user, user_r, user_t) +') + +optional_policy(` vlock_run(user_t, user_r) ') @@ -162,10 +166,6 @@ ifndef(`distro_redhat',` ') optional_policy(` - ssh_role_template(user, user_r, user_t) - ') - - optional_policy(` su_role_template(user, user_r, user_t) ') Index: refpolicy-2.20210203/policy/modules/system/authlogin.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/authlogin.te +++ refpolicy-2.20210203/policy/modules/system/authlogin.te @@ -389,6 +389,8 @@ domain_use_interactive_fds(utempter_t) logging_search_logs(utempter_t) +term_use_ptmx(utempter_t) + userdom_use_user_terminals(utempter_t) # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) @@ -406,6 +408,7 @@ optional_policy(` optional_policy(` xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) + xserver_write_inherited_xsession_log(utempter_t) ') ####################################### Index: refpolicy-2.20210203/policy/modules/system/init.if =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/init.if +++ refpolicy-2.20210203/policy/modules/system/init.if 
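Review bot: Moving `ssh_role_template(user, user_r, user_t)` out of the ifndef(`distro_redhat') block (the -162 hunk on this line) into an unconditional optional_policy gives user_r the ssh client policy on distro_redhat builds, where it was deliberately excluded before, and neither the hunk nor the commit message says why. If the Red Hat build is now meant to get it, say so next to the new block, e.g. `# ssh role template is wanted on all distros, including distro_redhat`; if the move is only cosmetic, keep it inside the ifndef so the built policy does not change.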
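Review bot: `term_use_ptmx(utempter_t)` grants read/write on the pty master device type to a setgid helper whose only job is to record the terminal in utmp, and the hunk does not explain the need. If this is for the master fd the terminal emulator hands to utempter (ptsname/TIOCGPTN on it), record that with `# inherited pty master fd from the calling terminal emulator` and check terminal.if for a narrower getattr/ioctl-only interface before settling on full use; the `xserver_write_inherited_xsession_log(utempter_t)` line in the -406 hunk likewise lacks a comment saying which caller triggers it.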
@@ -3498,6 +3498,24 @@ interface(`init_reload_all_units',` allow $1 { init_script_file_type systemdunit }:service reload; ') +####################################### +## <summary> +## getattr all systemd unit files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getattr_all_units',` + gen_require(` + attribute systemdunit; + ') + + allow $1 systemdunit:file getattr; +') + ######################################## ## <summary> ## Manage systemd unit dirs and the files in them Index: refpolicy-2.20210203/policy/modules/system/init.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/init.te +++ refpolicy-2.20210203/policy/modules/system/init.te @@ -244,7 +244,6 @@ ifdef(`init_systemd',` allow init_t self:udp_socket create_socket_perms; allow init_t self:netlink_route_socket create_netlink_socket_perms; allow init_t initrc_t:unix_dgram_socket create_socket_perms; - allow init_t self:capability2 audit_read; allow init_t self:key { search setattr write }; allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; @@ -262,7 +261,7 @@ ifdef(`init_systemd',` # setexec and setkeycreate for systemd --user allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit }; - allow init_t self:capability2 { audit_read block_suspend }; + allow init_t self:capability2 { audit_read block_suspend bpf perfmon }; allow init_t self:netlink_kobject_uevent_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; 
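Review bot: The new `init_getattr_all_units` is named and documented as covering all units, but its rule targets only the `systemdunit` attribute, whereas the neighbouring `init_reload_all_units` just above uses `{ init_script_file_type systemdunit }`; either the rule should use the same set or the summary should say `getattr systemd unit files (sysv init scripts not included)`. Nothing in this patch calls the new interface, so either the caller is in a later patch (worth stating in the commit message) or the interface is dead on arrival.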
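Review bot: Adding `bpf perfmon` to init_t's capability2 set only compiles if this tree's access_vectors defines those two permissions (they correspond to the CAP_BPF/CAP_PERFMON split introduced in Linux 5.8), so please confirm before merging. perfmon is broader than what the existing `self:bpf { map_create map_read map_write prog_load prog_run }` rule suggests systemd needs; a comment such as `# CAP_BPF/CAP_PERFMON for systemd's BPF-based accounting on 5.8+ kernels` together with the audit line that showed perfmon would help, and if perfmon never appeared in the denials it should be dropped. Removing the duplicate `audit_read` line in the -244 hunk is fine, since it remains in this rule.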
@@ -428,6 +427,7 @@ ifdef(`init_systemd',` miscfiles_watch_localization(init_t) mount_watch_runtime_dirs(init_t) + mount_watch_runtime_files_reads(init_t) # systemd_socket_activated policy mls_socket_write_all_levels(init_t) Index: refpolicy-2.20210203/policy/modules/system/logging.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/logging.te +++ refpolicy-2.20210203/policy/modules/system/logging.te @@ -510,6 +510,7 @@ seutil_read_config(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) userdom_dontaudit_search_user_home_dirs(syslogd_t) +userdom_search_user_runtime_root(syslogd_t) ifdef(`init_systemd',` # for systemd-journal @@ -549,6 +550,8 @@ ifdef(`init_systemd',` systemd_manage_journal_files(syslogd_t) udev_read_runtime_files(syslogd_t) + userdom_list_user_tmp(syslogd_t) + userdom_read_user_tmp_symlinks(syslogd_t) ') ifdef(`distro_gentoo',` Index: refpolicy-2.20210203/policy/modules/system/lvm.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/lvm.te +++ refpolicy-2.20210203/policy/modules/system/lvm.te @@ -105,10 +105,13 @@ files_read_etc_files(clvmd_t) files_list_usr(clvmd_t) fs_getattr_all_fs(clvmd_t) +fs_getattr_pstore_dirs(lvm_t) fs_search_auto_mountpoints(clvmd_t) +fs_search_cgroup_dirs(lvm_t) fs_dontaudit_list_tmpfs(clvmd_t) fs_dontaudit_read_removable_files(clvmd_t) fs_rw_anon_inodefs_files(clvmd_t) +fs_search_bpf(lvm_t) storage_dontaudit_getattr_removable_dev(clvmd_t) storage_manage_fixed_disk(clvmd_t) 
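Review bot: `userdom_read_user_tmp_symlinks(syslogd_t)` and `userdom_list_user_tmp(syslogd_t)` let a system daemon dereference symlinks that unprivileged users drop in /tmp — the classic redirect-by-symlink pattern; the type check on the target still applies, but the hunk should say which journald operation needs it, since the `# for systemd-journal` comment at the top of this ifdef block is too generic. Please add something like `# journald <operation> follows user-owned symlinks under /tmp — path from the denial goes here` and consider whether the listing alone, without the symlink read, is enough. The same rationale question applies to `userdom_search_user_runtime_root(syslogd_t)` in the -510 hunk, which sits outside the init_systemd block although it is presumably for the same daemon.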
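Review bot: The three new lvm_t rules in the lvm.te -105 hunk (`fs_getattr_pstore_dirs(lvm_t)`, `fs_search_cgroup_dirs(lvm_t)`, `fs_search_bpf(lvm_t)`) are inserted into the clvmd_t section — every surrounding line is a clvmd_t rule — which breaks the per-domain layout of this file and will mislead anyone later reading the clvmd policy. Move them into the lvm_t local policy section (the -298 hunk on the next line is in the right place) and add a comment saying what LVM is doing in the cgroup, bpf and pstore filesystems, since none of these are obvious for a volume manager.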
@@ -167,7 +170,6 @@ optional_policy(` allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource }; dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; -# LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; @@ -298,6 +300,8 @@ selinux_compute_user_contexts(lvm_t) storage_relabel_fixed_disk(lvm_t) storage_dontaudit_read_removable_device(lvm_t) +storage_getattr_removable_dev(lvm_t) + # LVM creates block devices in /dev/mapper or /dev/<vg> # depending on its version # LVM(2) needs to create directories (/dev/mapper, /dev/<vg>) Index: refpolicy-2.20210203/policy/modules/system/modutils.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/modutils.te +++ refpolicy-2.20210203/policy/modules/system/modutils.te @@ -34,6 +34,7 @@ ifdef(`init_systemd',` # allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config }; +allow kmod_t self:lockdown confidentiality; allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal }; # for the radeon/amdgpu modules dontaudit kmod_t self:capability sys_admin; Index: refpolicy-2.20210203/policy/modules/system/mount.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/mount.te +++ refpolicy-2.20210203/policy/modules/system/mount.te 
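Review bot: The -167 hunk deletes the comment `# LVM will complain a lot if it cannot set its priority.` while keeping the `allow lvm_t self:process setsched;` rule it explains, so the rationale for the grant is lost with no change in behaviour. Please keep the comment, or replace it with one stating why the old explanation was wrong, rather than dropping it.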
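Review bot: `allow kmod_t self:lockdown confidentiality;` (and the identical rule for udev_t in the udev.te -43 hunk) grants the wider of the two lockdown permissions without recording which operation was denied. Module loading is an integrity-level lockdown reason in the kernel, so a confidentiality denial from kmod or udev is surprising and may be one of the spurious hits the SELinux lockdown hook produces even when lockdown is not enabled; please add the audit line as a comment, e.g. `# lockdown: <kernel lockdown reason from the audit log>`, and prefer `integrity` or a dontaudit if confidentiality turns out not to be needed.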
@@ -98,12 +98,14 @@ files_list_all_mountpoints(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) +fs_getattr_binfmt_misc_fs(mount_t) fs_getattr_xattr_fs(mount_t) fs_getattr_tmpfs(mount_t) fs_getattr_rpc_pipefs(mount_t) fs_getattr_cifs(mount_t) fs_getattr_nfs(mount_t) fs_mount_all_fs(mount_t) +fs_manage_tmpfs_dirs(mount_t) fs_unmount_all_fs(mount_t) fs_remount_all_fs(mount_t) fs_relabelfrom_all_fs(mount_t) Index: refpolicy-2.20210203/policy/modules/system/raid.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/raid.te +++ refpolicy-2.20210203/policy/modules/system/raid.te @@ -60,6 +60,7 @@ domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) files_dontaudit_getattr_all_files(mdadm_t) +files_search_tmp(mdadm_t) fs_getattr_all_fs(mdadm_t) fs_list_auto_mountpoints(mdadm_t) Index: refpolicy-2.20210203/policy/modules/system/selinuxutil.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te +++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te @@ -368,14 +368,19 @@ fs_list_inotifyfs(restorecond_t) fs_relabelfrom_noxattr_fs(restorecond_t) fs_getattr_pstorefs(restorecond_t) +logging_watch_generic_logs_dir(restorecond_t) + selinux_validate_context(restorecond_t) selinux_compute_access_vector(restorecond_t) selinux_compute_create_context(restorecond_t) selinux_compute_relabel_context(restorecond_t) selinux_compute_user_contexts(restorecond_t) +seutil_read_file_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_dontaudit_read_all_symlinks(restorecond_t) +files_watch_etc_dirs(restorecond_t) +files_watch_runtime_dirs(restorecond_t) auth_use_nsswitch(restorecond_t) logging_send_syslog_msg(restorecond_t) 
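Review bot: `fs_manage_tmpfs_dirs(mount_t)` lets mount create and remove directories on any tmpfs_t filesystem (for example /dev/shm), considerably more than a mount point helper normally needs, and the hunk names no path. If this is for creating a mount point under a tmpfs, add a comment naming it, `# creates mount points under <tmpfs path from the denial>`, and check whether the directory is really tmpfs_t or a mislabelled runtime dir that the existing mountpoint interfaces (files_list_all_mountpoints and friends above) should cover instead.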
@@ -416,6 +421,8 @@ allow run_init_t self:netlink_audit_sock # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; +kernel_getattr_proc(run_init_t) + corecmd_exec_bin(run_init_t) corecmd_exec_shell(run_init_t) @@ -585,6 +592,7 @@ allow setfiles_t { policy_src_t policy_c allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; allow setfiles_t file_context_t:file map; +kernel_read_kernel_sysctls(setfiles_t) kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te +++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te @@ -61,7 +61,7 @@ allow dhcpc_t self:capability { dac_over dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config }; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; +allow dhcpc_t self:process { setrlimit getsched getcap setcap setfscreate ptrace signal_perms }; allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; Index: refpolicy-2.20210203/policy/modules/system/udev.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/udev.te +++ refpolicy-2.20210203/policy/modules/system/udev.te 
@@ -43,6 +43,7 @@ ifdef(`enable_mcs',` allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource }; dontaudit udev_t self:capability sys_tty_config; allow udev_t self:capability2 { wake_alarm block_suspend }; +allow udev_t self:lockdown confidentiality; allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; @@ -74,6 +75,7 @@ manage_files_pattern(udev_t, udev_rules_ manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t) manage_dirs_pattern(udev_t, udev_runtime_t, udev_runtime_t) +allow udev_t udev_runtime_t:dir watch; manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t) manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t) manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t) @@ -120,6 +122,7 @@ domain_dontaudit_ptrace_all_domains(udev files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) files_read_etc_files(udev_t) +files_read_var_lib_symlinks(udev_t) files_mmap_read_kernel_modules(udev_t) files_exec_etc_files(udev_t) files_getattr_generic_locks(udev_t) @@ -129,6 +132,7 @@ fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) fs_read_cgroup_files(udev_t) fs_rw_anon_inodefs_files(udev_t) +fs_search_tmpfs(udev_t) fs_search_tracefs(udev_t) mcs_ptrace_all(udev_t) @@ -153,6 +157,10 @@ auth_read_pam_console_data(udev_t) auth_domtrans_pam_console(udev_t) auth_use_nsswitch(udev_t) +# for /run/console-setup +fs_manage_tmpfs_dirs(udev_t) +fs_manage_tmpfs_files(udev_t) + init_read_utmp(udev_t) init_domtrans_script(udev_t) # systemd-udevd searches /run/systemd 
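Review bot: The `# for /run/console-setup` comment in the -153 hunk is welcome, but `fs_manage_tmpfs_dirs(udev_t)` and `fs_manage_tmpfs_files(udev_t)` grant udev create/write/delete on every tmpfs_t directory and file, not just that path, and the -260 hunk on the next line makes this unconditional for both init systems instead of the non-systemd case only. With a loaded policy /run content presumably should not be tmpfs_t at all, which suggests the directory is created before policy load or from the initramfs; if so, a named file transition into udev_runtime_t for the `console-setup` name plus a relabel in the udev rule would confine the access to that one directory. Separately, `allow udev_t udev_runtime_t:dir watch;` in the -74 hunk is wedged between the manage_dirs_pattern and manage_files_pattern lines, splitting a block that is otherwise one pattern per object class.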
@@ -260,9 +268,6 @@ ifdef(`init_systemd',` optional_policy(` init_dbus_chat(udev_t) ') -',` - fs_manage_tmpfs_dirs(udev_t) - fs_manage_tmpfs_files(udev_t) ') optional_policy(` Index: refpolicy-2.20210203/policy/modules/system/unconfined.te =================================================================== --- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te +++ refpolicy-2.20210203/policy/modules/system/unconfined.te @@ -39,6 +39,7 @@ logging_send_syslog_msg(unconfined_t) logging_run_auditctl(unconfined_t, unconfined_r) mount_run_unconfined(unconfined_t, unconfined_r) +mount_watch_runtime_files_reads(unconfined_t) seutil_run_setfiles(unconfined_t, unconfined_r) seutil_run_semanage(unconfined_t, unconfined_r)